The Hacker News — Cyber Security, Hacking, Technology News

Cybercrime has continued to evolve and today exists in a highly organised form.

Cybercrime has increasingly been commercialised and has itself become big business, renting out an ever-expanding range of hacking tools and technologies, from exploit kits to ransomware, to help anyone build threats and launch attacks.

In the past few years, we have witnessed the rising popularity of malware-as-a-service (MaaS), which is today a prosperous business on the underground black market, offering an array of services including ransomware-as-a-service, DDoS-as-a-service, phishing-as-a-service, and much more.

Two such services have recently been spotted by two separate groups of researchers, and we detail both in this article.

Ovidiy Stealer — $7 Password-Stealing Malware For Everyone

A new credential-stealing malware that primarily targets web browsers is being marketed on Russian-speaking web forums for as little as $7, allowing anyone with little technical knowledge to compromise as many computers as they want.

Dubbed Ovidiy Stealer, the malware first appeared just last month but is being regularly updated by its Russian-speaking authors and actively adopted by cybercriminals.

The Ovidiy Stealer malware currently has several versions in the wild, targeting people around the world, including the United Kingdom, the Netherlands, India, and Russia, according to security researchers at Proofpoint, who analysed the malware.

What's surprising is the Ovidiy Stealer's cost.

A single customisable build of this lightweight, easy-to-use, and effective malware product costs only 450 to 750 Rubles (roughly $7 to $13), according to Proofpoint's analysis.

Despite its low price, the malware build executables are encrypted, which makes them difficult to detect and analyse, though the report also notes that some antivirus products are detecting Ovidiy Stealer based on its behaviour.

Written in .NET, the credential stealer comes with the ability to target multiple applications and browsers, including Google Chrome, Opera, FileZilla, Amigo, Kometa, Torch, and Orbitum, but buyers can also purchase a version that only works against a single browser.

The malware is being distributed via a number of methods, including malicious email attachments, malicious download links, fake software or tools offered on various file-hosting websites, and even bundled inside software packages.

Ovidiy Stealer itself is neither very powerful nor advanced: it does not include any persistence mechanism that would allow the malware to run again after a reboot. Even so, it has the potential to become widespread.

Ovidiy Stealer uses an SSL/TLS connection to communicate securely with its command-and-control server, which is hosted on a Russian domain — the same domain used to market and sell the malware.

"A lightweight, easy-to-use, and effective product coupled with frequent updates and a stable support system give Ovidiy Stealer the potential to become a much more widespread threat," the report concluded.

"Ovidiy Stealer highlights the manner in which the cybercrime marketplace drives innovation and new entrants and challenges organisations that must keep pace with the latest threats to their users, their data, and their systems."

Hackshit — Easier Phishing Than Ever Before!

Another crimeware-as-a-service uncovered by researchers from Netskope Threat Research Labs is a Phishing-as-a-Service (PhaaS) platform that offers a low-cost "automated solution for the beginner scammers," allowing them to trick people into handing over their credentials.

Dubbed Hackshit, the PhaaS platform attracts new subscribers by offering them free trial accounts to try a limited set of hacking tutorials and tricks for making easy money.

"The marketplace is a portal that offers services to purchase and sell for carrying out the phishing attacks," Netskope researcher Ashwin Vamshi says.

"The attacker then generates a phished page from the page/generator link and logs into the email account of the compromised victim, views all the contacts and sends an email embedded with the phished link."

Hackshit allows wannabe hackers (subscribers) to generate their unique phishing pages for several services, including Yahoo, Facebook, and Google's Gmail.

These crimeware-as-a-service offerings pose a new security challenge because they not only allow malicious actors to leverage other cybercriminals' resources to conduct attacks, but also bring wannabe hackers into the world of cybercrime.

Former Reuters journalist Matthew Keys, who was convicted last year of helping the Anonymous hacking group, has been sentenced to 24 months in prison on computer hacking charges.

Keys was found guilty last year in October of giving Anonymous login credentials that allowed the group to deface the Los Angeles Times, a Tribune Media-owned newspaper, back in 2013.

After leaving the job at Tribune Company-owned Sacramento KTXL Fox 40 in 2010, Keys posted login credentials for the company's content management system (CMS) on a chatroom where hacking collective Anonymous planned out their operations.

The hacking collective then logged into the CMS and defaced an LA Times article; the defacement stayed up for about 40 minutes before a journalist noticed and reverted it. Keys still denies all allegations.

Keys faced a possible sentence of up to 25 years for three counts of hacking charges under the Computer Fraud and Abuse Act.

Although the US Attorney's office recommended a 5-year sentence, Keys has been sentenced to two years in prison, to be followed by 2 years of supervised release.

Keys is set to surrender on June 15, 2016. After sentencing, Keys went on Twitter and wrote: "When we do appeal, we're not only going to work to reverse the conviction, but try to change this absurd computer law, as best we can."

In a blog post published on Medium, Keys also said that he was innocent and that the charges against him are "baseless, absurd and entirely wrong." He also said he is committed to journalism no matter what happens.

"Whatever happens today, I hope I am able to continue serving the public with important stories of interest," Keys wrote. "Journalism is all I am good at, and I am not exactly sure what I will do if I am not able to do it anymore."

Keys' case has drawn wide media attention because he had served as a deputy social media editor at Reuters. After he was charged with the hacking crime in March 2013, Reuters released Keys from his position.

U.S. and European law enforcement agencies have shut down a highly sophisticated botnet that had infected more than 12,000 computers worldwide, allowing hackers to steal victims' banking information and other sensitive data.

Law enforcement agencies from the United States, the United Kingdom and the European Union conducted a joint operation to dismantle the botnet across the globe and seized the command-and-control server that had been used to operate the Beebone (also known as AAEH) botnet.

What’s a Botnet?

A botnet is a network of a large number of computers compromised with malicious software and controlled surreptitiously by hackers without the knowledge of the victims.

Basically, a "botnet" is a hacker’s "robot" that does the malicious work directed by hackers.

Hackers and cybercriminals have sharpened their skills and now use botnets as a cyber weapon to carry out multiple crimes, such as distributed denial-of-service (DDoS) attacks, mass spamming, advertising revenue manipulation, cyber espionage, bitcoin mining, surveillance and more.

However, this is not the first time a sophisticated botnet has been taken down by law enforcement agencies.

Just two months ago, law enforcement took down the Ramnit botnet, which had infected over 3.2 million computers worldwide, and last year the FBI and Europol tore down the GameOver Zeus botnet, although it came back a month after its takedown.

So, what's new about the Beebone botnet?

Beebone is a downloader: a botnet whose job is to install other forms of malicious software, including ransomware and rootkits, onto victims' machines without their consent.

The size of the network it infected was not significant, but the operators managed to keep control of the infected machines over the years by making Beebone polymorphic, so that it can update itself to evade antivirus detection.

Here’s the Kicker:

Beebone updates itself as many as 19 times a day, which makes the malware a somewhat different threat from existing botnets and hampers detection.

Once infected, the machines were ordered to "distribute malicious software, harvest users' credentials for online services, including banking services, and extort money from users by encrypting key files and then demanding payment in order to return the data to a readable state," the US Computer Emergency Readiness Team (US-CERT) said.

5 MILLION UNIQUE SAMPLES OF BEEBONE IN THE WILD

Initial figures show:

Beebone has infected over 12,000 computers, which seems a tiny number compared to previous Zeus botnet infections that affected millions of computers across the world.

However, it is believed that many more infections are still to surface. According to Europol, there are currently more than 5 million unique samples of Beebone in the wild, with over 205,000 samples taken from a total of 23,000 computer systems between 2013 and 2014.

BEEBONE INFECTION WORLDWIDE

The footprint of the Beebone botnet is worldwide:

Beebone infections spread across more than 195 countries. Most of the infections are reported in the United States, followed by Japan, India, and Taiwan, said Europol's Deputy Director of Operations, Wil van Gemert.

What’s the best part?

The Federal Bureau of Investigation (FBI) is currently working with other U.S. law enforcement agencies and Europol's European Cybercrime Centre (EC3), the Dutch National High Tech Crime Unit and the Joint Cybercrime Action Taskforce in order to combat Beebone.

Why do botnets re-emerge after a takedown?

The main reason, in my view, is that the author of the botnet did not get arrested.

It really doesn't matter how many domains law enforcement takes down or how many sinkholes security researchers create if the attackers are not arrested…

...nobody can stop criminals from building a new botnet from scratch.

Thus, I really appreciate the FBI's effort to weed out the GameOver Zeus botnet by announcing a reward of $3 million for information leading to the arrest or conviction of Evgeniy Mikhailovich Bogachev -- the alleged author of the GameOver Zeus botnet, which stole more than $100 million from bank accounts.

A ransomware threat has driven someone to a terrible suicide, once again marking its history with blood. Sad, but true.

Joseph Edwards, a 17-year-old schoolboy from Windsor, Berkshire, hanged himself after receiving a bogus email that appeared to be from the police, claiming that he had been spotted browsing illegal websites and that a fine of 100 pounds had to be paid to stop the police from pursuing him.

The scam email pushed the well-known Police Ransomware onto the boy’s laptop and also downloaded malware that locked up his system once it was opened.

Edwards was an A-level student with autism, a developmental disability that likely made him more susceptible to believing the scam email, supposedly sent from Cheshire police, was genuine, a coroner heard on Thursday.

Edwards was so upset and depressed by the accusation and the extortionate demand that he hanged himself hours after falling victim to the threat. He was found hanged at his family home in Windsor by his mother, Jacqueline Edwards, who told the coroner that he probably didn't understand the implications of his actions.

"He didn't seem to have any worries known to me. I don't think he really understood," Jacqueline Edwards told the coroner. "Joseph was subjected to a scam on the internet, a threatening, fake police link that was asking for money," his mother said in a statement. "He would have taken it literally because of his autism and he didn't want to upset Georgia [his sister] or me."

As far as is known, police ransomware of this type does not encrypt files and usually asks the victim to pay a small "fine" of around $200 or €200. It is normally much easier to remove the threat from infected systems using dedicated tools specially designed to remove such infections.

According to Detective Sergeant Peter Wall, it will be almost impossible to trace the fraudsters behind the 'crude' email, but police believe it may have originated outside the UK.

This is not the first time ransomware has cost someone their life. Over a year ago, a Romanian family faced the same police ransomware threat: the victim hanged himself and his four-year-old son, fearing in a moment of delusion that his young son would pay for his mistake for the rest of his life.

Ransomware is one of the most blatant criminal money-making schemes out there. The CryptoLocker threat marked its peak, and cybercriminals have since developed many CryptoLocker variants (PrisonLocker, Linkup, Icepole, CryptoBit) against which you need to safeguard your system.

The joint operation by authorities of the U.S. Federal Bureau of Investigation (FBI) and European law enforcement seized Silk Road 2.0, an alternative to the notorious online illegal-drug marketplace last week, and arrested 26-year-old operator Blake Benthall, but that wasn't the end.

US and European authorities over the weekend announced the seizure of 27 different websites as part of a much larger operation called Operation Onymous, which led to the takedown of more than "410 hidden services" that sold illegal goods and services, from drugs to murder-for-hire, while masking their operators' identities using the Tor anonymity network.

"The action aimed to stop the sale, distribution and promotion of illegal and harmful items, including weapons and drugs, which were being sold on online ‘dark’ marketplaces," according to the Europol press release.

This globally coordinated takedown is the combined effort of 17 nations, including law enforcement agencies in the U.S. and 16 member nations of Europol. The operation led to the arrest of 17 people, operators of darknet websites, and the seizure of $1 million in Bitcoin, 180,000 Euros in cash, drugs, gold and silver.

According to U.S. authorities, Operation Onymous is the largest law enforcement action till now against the illegal websites operating on the Tor network, which helps users to communicate anonymously by hiding their IP addresses.

"We are not 'just' removing these services from the open Internet," said Troels Oerting, Head of Europol's EC3 (European Cybercrime Centre). "This time we have also hit services on the Darknet using Tor where, for a long time, criminals have considered themselves beyond reach. We can now show that they are neither invisible nor untouchable. The criminals can run but they can't hide. And our work continues."

The authorities have not yet publicly disclosed the full list of seized Tor websites, but it appears that less than 20% of all darknet websites have been shut down in the joint cybercrime operation, including the seizure of Silk Road 2.0 earlier this week.

"Silk Road" was the notorious online illegal-drug marketplace that generated $8 million in monthly sales and attracted 150,000 vendors and customers. The FBI seized the darknet website in October of 2013 and after five weeks, Silk Road 2.0 was launched.

On Sunday, the Tor Project said it has no idea how law enforcement authorities were able to identify the servers that were shut down last week as part of Operation Onymous. "We were not contacted directly or indirectly by Europol nor any other agency involved," a spokesperson for the Tor Project, "Phobos", said in a statement.

One of the most intimidating issues that gives nightmares to IT teams across organizations is data breaches, or data loss. Typically, data loss happens when security is compromised and sensitive corporate data is accessed. It might fall under any of these categories:

This can happen due to external attacks such as malware or hacking, or sometimes from an internal source such as a disgruntled employee. This calls for a data loss prevention (DLP) system that helps you contain and avoid the loss of data.

Data loss can occur at many stages, which fall broadly into three categories:

Data in Motion: Data that moves through the network to the outside, in most cases using the Internet

Data at Rest: Data that rests in your database and other provisions for storage

Data at the Endpoints: Data at the endpoints of your network, say, data on USB and other plugged-in devices.

What is Data Loss Prevention?

DLP is a strategy to make sure that your sensitive data doesn't move outside your network. It helps you reduce the risk of disclosure of confidential information. With the continuous increase in cybercrime, it becomes all the more necessary to protect against data breaches at every stage.

Here are some focus areas that can help you minimize data loss:

1. Identify the Top Data Loss Scenarios

If you look at all the data loss scenarios seen so far, you will be able to pick out a pattern of which ones have had the highest impact. There may also be relatively minor data loss incidents that occur many times a day.

Action item: Identify and classify data based on its sensitivity and keep an eye on its flow within the network and outside. Your classification can also be based on the type of data, for example customer data, financial data, etc. Once this is done, build security policies based on your security and compliance requirements. It is advisable to use a SIEM tool that correlates events and alerts you in real time on any security breach.

2. Actively respond to Security Incidents

Once the radar lights up, security events tend to pile up thick and fast. It is important to have a dedicated methodology for analysing and responding to all valid security events.

Action item: As you begin to monitor the log events in real time, you would be able to quickly spot security threats. You can deploy an efficient log management tool with active response technology that can help you mitigate and remediate violations and deliver automated responses based on the security incident.

3. Comply with Policy Regulations

If you are handling sensitive and confidential information, you need to comply with regulations such as FISMA, PCI DSS, HIPAA, etc., depending on the industry in which you operate. For example, if your business involves payment card transactions, you need to be PCI compliant, as you are responsible for protecting cardholder data from the moment you receive it.

Action item: To meet the PCI standard you need to encrypt cardholder data in transit with SSL/TLS using at least 128-bit encryption (note that the key strength comes from the negotiated cipher suite, not from the certificate itself). Compliance requires constant assessment and reporting, and employees at different levels should be involved to make it effective. SIEM tools help you quickly uncover compliance policy violations by identifying attacks and highlighting threats with real-time log analysis and powerful cross-device and cross-event correlation covering your entire infrastructure.

SolarWinds Log and Event Manager (LEM) helps you quickly uncover policy violations and performs multiple-event correlation to understand the relationships between dramatically different activities. With its real-time log analysis and powerful cross-device/cross-event correlation, LEM lets you identify and respond to threats proactively rather than reactively.

LEM also provides over 300 pre-built “audit-proven” templates so you can easily generate and schedule PCI and other regulatory compliance reports, as well as customize reports for your organization's specific needs.

Security firm Trend Micro recently analysed the Russian crimeware markets and found that malware tools and services range from one-time packages costing just pennies to sophisticated packages and services that cost purchasers thousands of dollars per month.

If you want to buy a botnet, it will cost you somewhere in the region of $700. If you just want to hire someone else's botnet for an hour, though, it can cost as little as $2. There are at least 20 different types of services offered on Russian-speaking forums for just about anyone who wants to make a buck from cybercrime, everything from crime-friendly VPN and antivirus-checking services to plain old off-the-shelf exploits.

"As the Russian underground community continuously modifies targets and improves technologies, security companies and users must constantly face the challenge of effectively protecting their money and the information they store in their computers and other devices," the company said in its report.

Email spam costs $10 per one million emails, and Windows rootkits are priced around $292. You can even hire someone to hack a Gmail account for $162, or a Facebook or Twitter account for $130. Botnet leasing is actually rare in the underground market because it is not as lucrative as other services. "Hackers normally operate their own botnets because selling them is less profitable," the report says. Distributed denial-of-service (DDoS) attacks cost just $10 per hour.

Current prices on the Russian underground market:

Hacking corporate mailbox: $500

Winlocker ransomware: $10-20

Unintelligent exploit bundle: $25

Intelligent exploit bundle: $10-$3,000

Basic crypter (for inserting rogue code into a benign file): $10-$30

SOCKS bot (to get around firewalls): $100

Hiring a DDoS attack: $30-$70/day, $1,200/month

Botnet: $200 for 2,000 bots

DDoS botnet: $700

ZeuS source code: $200-$500

Windows rootkit (for installing malicious drivers): $292

Hacking Facebook or Twitter account: $130

Hacking Gmail account: $162

Email spam: $10 per one million emails

Email spam (using a customer database): $50-$500 per one million emails

Matthew Higgins, now 20 and a university student, hacked into his school's computer system to obtain a girl's details and then boasted about it on a hackers' forum. Matthew is the son of a police inspector. Caernarfon Crown Court heard it was the case of a clever young man caught red-handed.

The defendant says there is a conspiracy to fabricate evidence against him. Matthew first accessed the girl's file and then sent a fake email in which he claimed to be a constituent, suggesting that the school's internet system was insecure.

"Mr Higgins denies securing unauthorised access to computer data at Eirias High School in March last year and attempting to do so again two months later," the BBC reported.

The prosecution accused Mr Higgins of having "played a game of bluff and smoke screens" and trying to portray himself as a victim. The trial is continuing.